[ale] Let's crack Bob Toxen's systems!

Christopher Bergeron christopher at bergeron.com
Fri Jan 31 18:47:43 EST 2003


/root/gold == "Fly by Day, Not by Night"

:)

-CB



Bob Toxen wrote:

|The "Hack Bob's network" went on as scheduled.  The firewall received a little
|bit of additional hardening but mostly I just removed a bit of confidential
|data on it and overwrote each disk's free space so someone searching the
|raw disk devices would not find it.  I also disconnected my main systems
|from the network as they had confidential data on them.  I left a desktop
|workstation on in case anyone got through the firewall and wanted a system
|to attack.
|
|64 different IP addresses were detected trying to break into my network
|during the show and were permanently locked out of my network within
|milliseconds.  The most commonly attacked ports were 80, 22, 111 (portmap),
|79 (finger), and port 43 (whois).
|
|Dow wrote:
|
|>PS.  My satisfaction (though much less educated) will weigh more than
|>Bob's since he, though completely honest, will not want to admit to
|>being hacked.
|
|
|Actually, I would be honor-bound to admit it.  I did create a file
|called /root/gold on the firewall and one client (desktop) system that I
|left on the network, each with a phrase in it.  Anyone who could tell
|what either phrase was would have proof of success.
|
|
|"wrnash" <wrnash at wrnash.net> wrote:
|
|>If I knew that a hacker was going to hack my system on a certain date I
|>would just lock everything out to where nothing could get in; then, when
|>the event was over, I would open just the port I needed again.
|
|
|That would not be fair.  I value my integrity and honesty above all else.
|
|My firewall had an SSH daemon listening on port 22 with no changes from
|normal operation.  When I announced this during the show I got a flood
|of attacks on this port.  About ten minutes later into the show I mentioned
|that the Cracker Trap will lock out any IP address that connected to it
|other than the few I allow access.
|
|The desktop system left on the network was a lightly hardened Linux system.
|
|>Do you think Bob would do the same?  Maybe we need to wait a couple of
|>days to hack his system, like in the book The Art of War: when they
|>think you are near, be far; when they think you are far, be near.
|
|
|I granted permission for people to try to hack in during the show.
|Anyone deciding to do it later on is committing a crime under both
|state and Federal law.  Anyone intentionally helping them by providing
|information, etc., probably is guilty of conspiracy.
|
|>Bill Nash
|
|
|
|Geoffrey wrote:
|
|>Dow Hurst wrote:
|>
|>>Maybe I think I've got a sure bet! ;-)
|
|
|>I think you do. :)
|
|
|*I* was not 100% confident as no security is 100%.  (I hate security
|companies and books that promise to "hack proof" their clients.)
|
|While unlikely, I treated both systems as possibly compromised.
|I proceeded to do a very detailed "uncracking" procedure on the firewall,
|as discussed in Part IV of my book.  I booted from trusted media (R/O
|floppies that had networking built in).  I then used the compare feature
|of tar to compare every single file on my full backup to the respective
|file on disk, both for data and ownership and permissions.
|
|I then used the find command to find all files that had an access time
|older than when I started the tar and analyzed the results to see if
|any new files were left by a cracker as Trojans (such as compromised
|versions of common utilities in /tmp hoping that "." is in $PATH)
|or Trojan'ed copies of dynamic libraries in /lib to be found before
|the proper ones in /usr/lib.  No abnormalities were found.
|
|At this point I had proved that the firewall was not compromised and it
|was ready for business.  This took a while.  Since my client system was
|pretty stock, rather than "uncracking" it I just reinstalled from scratch.
|(Had someone gotten in I would know exactly what extra files to remove
|and what altered files to restore from backup.)
|
|This is why it has taken so long to respond to other posts.  (Tuesday
|prior to the show I was very busy both hardening my network and taking
|care of clients.)
|
|
|Harold Bieber <habieb at myrealbox.com> wrote:
|
|>Hey Dow! Make it really interesting... the person that cracks his system
|>gets the $25, but those that attempt to crack it and don't, Bob gets to
|>crack their systems.
|
|
|64*$25=$1600 ;^)
|
|Bob Toxen
|bob at verysecurelinux.com               [Please use for email to me]
|http://www.verysecurelinux.com        [Network&Linux/Unix security consulting]
|http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security 2/e"]
|Quality Linux & UNIX security and SysAdmin & software consulting since 1990.
|
|"Microsoft: Unsafe at any clock speed!"
|   -- Bob Toxen 10/03/2002

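The two-pass integrity check Bob describes in the quoted message (tar's compare feature against a full backup, then a search for files the backup does not account for), as an added shell example that is not part of the thread. Bob's second pass used atime to find files tar never read; that only works when the filesystem records atime, which noatime/relatime mounts suppress, so this version takes the set difference between the archive's member list and the files on disk instead. The archive and root paths are hypothetical placeholders supplied by the caller.

```shell
# Added example, not from the thread: check a host against its full tar backup
# in the two passes Bob describes.
#   Pass 1: tar --compare checks every archive member against disk for
#           content, ownership, permissions and mtime.
#   Pass 2: list regular files on disk that the archive does not contain,
#           i.e. candidates for dropped-in Trojans (a /tmp/ls, an extra .so).
# Bob's pass 2 used find on atime (files tar never read); this version uses
# the archive member list so it also works on noatime/relatime mounts.
# Intended to be run from trusted media with the suspect root mounted read-only.

# compare_backup ARCHIVE ROOT
# Prints one line per mismatch and returns tar's exit status (0 = clean).
compare_backup() {
    archive=$1
    root=$2
    tar --compare -f "$archive" -C "$root"
}

# find_unbackedup_files ARCHIVE ROOT
# Prints every regular file under ROOT (path relative to ROOT) absent from ARCHIVE.
find_unbackedup_files() {
    archive=$1
    root=$2
    in_archive=$(mktemp)
    on_disk=$(mktemp)
    # Archive member names, normalised to "path" (no leading ./, no trailing /).
    tar -tf "$archive" | sed 's#^\./##; s#/$##' | sort -u > "$in_archive"
    # Regular files on disk, same normalisation; -xdev stays on one filesystem.
    (cd "$root" && find . -xdev -type f | sed 's#^\./##' | sort -u) > "$on_disk"
    # Lines only in the second list: present on disk but not in the backup.
    comm -13 "$in_archive" "$on_disk"
    rm -f "$in_archive" "$on_disk"
}
```

Anything pass 2 reports is a file the backup never knew about; anything pass 1 reports is a known file whose content, mode, owner or mtime has drifted, which is the list of things to restore.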


_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale